Threat Intelligence Blog

Zeek-Based Security Detection & Mitigation

Posted July 11, 2019

Today, many open-source software projects provide real value in solving a wide range of security detection and mitigation problems, but not every framework translates easily from concept into day-to-day operation. Zeek is different. Rooted in 20 years of research, Zeek is an open-source project that helps security operations teams achieve more effective threat detection, bridging the gap between academia and operations.

Why Zeek?

Zeek is a network analysis framework focused on network security monitoring and based on over 20 years of research. Originally developed by Vern Paxson, Zeek is an open-source project maintained by ICSI in Berkeley, CA and NCSA in Urbana-Champaign, IL. Zeek is a worthwhile security operations capability because it can be used in a flexible and adaptable manner to provide visibility into the behavior of the applications communicating across the network.

As we introduced in our blog on an SDN-based approach to cybersecurity response, organizations evaluating which tools meet the requirements of SDN-based cybersecurity response should consider Zeek a strong fit because of its flexibility, adaptability and in-depth analysis of network behaviors.

SDN Threat Detection with Zeek

Typically, a Zeek-based monitoring system can be deployed in a simplified SDN network as shown below:

Figure 1: Simplified SDN Network Deployment with Zeek Monitor

Within the Zeek Monitor system, a set of Zeek scripts analyzes the network traffic it receives, performing stateful analysis to identify specific patterns or behaviors exhibited by the network devices and applications communicating through the network.

One of the key advantages for security teams is how easy it is to modify or extend Zeek using its event-driven programming model. For example, a security team may wish to add specific processing logic for HTTP request messages. Without a framework like Zeek, the team would first have to capture every connection made over HTTP and then parse the HTTP protocol messages themselves to identify which packets constitute an HTTP request. Zeek makes this much easier: the team simply adds an event handler to a Zeek script that handles the HTTP request event.

Figure 2: HTTP Request Event Handler
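The handler shown in Figure 2 is not reproduced on this page, so the following is an added example (not the original post's script) of a stateful `http_request` handler: it counts requests per client in a sliding window and raises a notice when a client crosses a threshold. The module name, threshold and window are assumptions.

```zeek
##! Added example: stateful analysis on the http_request event.
##! Counts HTTP requests per client and raises a notice when one client
##! exceeds an (assumed) threshold within an (assumed) window.

@load base/protocols/http
@load base/frameworks/notice

module HttpRateDetect;

export {
    redef enum Notice::Type += {
        ## Raised when one client issues too many HTTP requests in the window.
        Request_Flood,
    };

    ## Assumed threshold: requests from one client before a notice fires.
    const request_threshold = 200 &redef;

    ## Assumed window: a client's counter is discarded this long after creation.
    const request_window = 1min &redef;
}

# Per-client request counters; entries expire automatically after the window.
global request_counts: table[addr] of count
    &create_expire=request_window &default=0;

event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
{
    local client = c$id$orig_h;
    ++request_counts[client];

    # Fire exactly once per window, when the threshold is first reached.
    if ( request_counts[client] == request_threshold )
    {
        NOTICE([$note=Request_Flood,
                $msg=fmt("%s sent %d HTTP requests within %s (last: %s %s)",
                         client, request_threshold, request_window,
                         method, original_URI),
                $conn=c,
                $identifier=cat(client),
                $suppress_for=request_window]);
    }
}
```

Run it with `zeek -r capture.pcap HttpRateDetect.zeek` against a capture and check notice.log for `HttpRateDetect::Request_Flood` entries.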

SDN Threat Mitigation with Zeek

Historically, Zeek has been used primarily for security detection, but it also supports mitigation in an SDN-based environment via third-party plug-ins. Through its NetControl framework, Zeek can send simple mitigation actions to an SDN controller. For example, the diagram below shows how an updated Zeek script could send OpenFlow mitigation commands, such as dropping a specific connection from a source IP, based on the analysis performed by the Zeek system.

Figure 3: SDN Network with Zeek Monitor & Mitigation
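As an added example (not the original post's script) of the NetControl path described above, the following script registers an OpenFlow plug-in with NetControl and pushes a time-limited drop rule for the connection behind any notice whose type is listed in `block_on_notices`. The datapath id, block duration, and the use of `OpenFlow::log_new` in place of a live controller are assumptions for a lab setup.

```zeek
##! Added example: mitigation through NetControl and OpenFlow.
##! A drop rule is sent for the connection of any notice whose type is
##! listed in block_on_notices. Controller wiring and timeouts are assumed.

@load base/frameworks/netcontrol
@load base/frameworks/openflow
@load base/frameworks/notice

module SdnMitigate;

export {
    ## Assumed: notice types whose connection should be dropped at the switch.
    const block_on_notices: set[Notice::Type] = {} &redef;

    ## Assumed: how long the SDN switch keeps the drop rule.
    const block_duration = 10min &redef;

    ## Assumed: OpenFlow datapath id of the switch carrying the traffic.
    const switch_dpid: count = 42 &redef;
}

event NetControl::init()
{
    # With a real controller, use the Broker-based plug-in instead, e.g.
    #   OpenFlow::broker_new("sdn-ctl", 127.0.0.1, 9999/tcp, switch_dpid);
    # For a lab, log_new writes the flow_mod messages to openflow.log.
    local of_controller = OpenFlow::log_new(switch_dpid);
    local plugin = NetControl::create_openflow(of_controller);
    NetControl::activate(plugin, 0);
}

hook Notice::policy(n: Notice::Info)
{
    # Only act on configured notice types that carry a connection id.
    if ( n$note in block_on_notices && n?$id )
    {
        local rule_id = NetControl::drop_connection(n$id, block_duration,
                                                    "zeek-sdn-monitor");
        print fmt("requested drop rule %s for %s", rule_id, n$id);
    }
}

# Record whether the switch accepted or rejected each rule.
event NetControl::rule_added(r: NetControl::Rule, p: NetControl::PluginState,
                             msg: string)
{
    print fmt("rule %s installed", r$id);
}

event NetControl::rule_error(r: NetControl::Rule, p: NetControl::PluginState,
                             msg: string)
{
    print fmt("rule %s failed: %s", r$id, msg);
}
```

Enable it for a given detector by adding its notice type, for example `redef SdnMitigate::block_on_notices += { HTTP::SQL_Injection_Attacker };`, and inspect netcontrol.log and openflow.log for the resulting rules.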

In the above deployment, the Zeek system runs in passive mode: it receives and analyzes a copy of the traffic passing through the SDN switch. The drawback is that any action it wishes to take on active network traffic must be sent back to the SDN controller, which then forwards any approved action to the SDN switch.

This round trip from a behavioral analysis system such as Zeek to the SDN controller and on to the SDN switch may introduce significant latency. That latency limits the ability to support certain high-speed forwarding decisions and to respond to active threats, which can render the solution unusable at scale or in environments where security is paramount.

Enhanced Threat Mitigation with Zeek

However, a slightly different deployment is possible, where the Zeek system is connected inline, as shown below. In this example, the Zeek system sits between the SDN switch and the upstream connection to the rest of the corporate network. The controller still delivers network policy to the Zeek system, while the Zeek system performs real-time analysis and mitigation inline, without the latency introduced in the prior deployment. This arrangement provides more effective protection while retaining the advantages of Zeek's detection capabilities.

Figure 4: SDN Network with Inline Zeek Monitoring & Mitigation

SDN-based security solutions have an important role to play in organizations that have or are planning to adopt an SDN approach to their system deployments within the enterprise and in the cloud. Zeek-based monitoring and mitigation can provide an invaluable solution to effective security response, especially when deployed in a manner that achieves the necessary visibility and response to real-time mitigation requirements of 10G and higher network deployments.

By combining SDN-based security with inline Zeek monitoring and mitigation, your organization can analyze and mitigate threats as they are found, in real time, providing seamless threat protection. At LookingGlass, we are embracing SDN security approaches to enterprise security monitoring and threat response.

If you would like to discuss more, please contact me on Twitter @tweet_a_t.